SSHStalker Botnet Controls Linux Systems via IRC C2 and Legacy Kernel Exploits

Cybersecurity researchers have uncovered a newly identified botnet operation named SSHStalker, which uses the Internet Relay Chat (IRC) protocol as its command-and-control infrastructure. The campaign specifically targets Linux systems by exploiting outdated kernel vulnerabilities, many of which date back more than a decade.

According to security firm Flare, the operation combines stealth-focused techniques with older Linux exploitation methods. While the vulnerabilities being abused originate from Linux 2.6.x-era flaws between 2009 and 2010, they remain effective against neglected servers and legacy infrastructure that have not been properly patched.

Targeting Forgotten Linux Infrastructure

SSHStalker does not rely on cutting-edge zero-day exploits. Instead, it capitalizes on long-standing Common Vulnerabilities and Exposures (CVEs) that continue to exist in poorly maintained systems. Although modern enterprise stacks are largely immune to these issues, outdated servers still present viable targets.

The botnet blends automated mass compromise techniques with traditional IRC botnet mechanics. Using SSH scanning tools and publicly available scanners, the attackers search for systems exposing port 22. Once a vulnerable server is identified, it is incorporated into the botnet and enrolled into IRC control channels.

Unlike many botnets that immediately launch distributed denial-of-service attacks, cryptocurrency mining operations, or proxyjacking campaigns, SSHStalker appears to prioritize persistent access. Researchers observed no significant post-exploitation monetization behavior, suggesting the compromised systems may serve as staging infrastructure, testing grounds, or strategic footholds for future operations.

Infection Chain and Payload Deployment

A central element of the campaign is a Golang-based scanner designed to locate servers with exposed SSH services. Once access is achieved, multiple payloads are deployed.

These include variants of an IRC-controlled bot and a Perl-based file bot that connects to an UnrealIRCd server. After joining a designated control channel, the bots await instructions that can trigger flood-style network traffic attacks or allow remote command execution.

To reduce detection risks, the attackers execute C-based programs that tamper with SSH-related logs, including utmp, wtmp, and lastlog files. This log manipulation significantly limits forensic visibility by erasing evidence of unauthorized access.
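As an added defender-side example, not code from the article or from Flare's research, the following Python script parses wtmp records in the glibc x86_64 `struct utmp` layout (an assumption about the target platform) and flags the artefacts that overwriting or editing login records leaves behind: records wiped to NUL bytes and timestamps that run backwards in a file that should only ever be appended to. The sample records are constructed, not captured.

```python
import struct

UTMP_FMT = "<h2xi32s4s32s256shhiii4i20x"  # glibc x86_64 struct utmp (assumed layout)
UTMP_SIZE = struct.calcsize(UTMP_FMT)      # 384 bytes per record
BOOT_TIME, USER_PROCESS, DEAD_PROCESS = 2, 7, 8  # ut_type values used below

def pack_record(ut_type, pid, line, user, host, tv_sec):
    """Build one record; used here only to construct sample data."""
    return struct.pack(UTMP_FMT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0)

def parse_wtmp(data):
    """Decode a wtmp/utmp byte string into a list of record dicts."""
    if len(data) % UTMP_SIZE:
        raise ValueError("file size is not a multiple of the record size")
    recs = []
    for off in range(0, len(data), UTMP_SIZE):
        f = struct.unpack_from(UTMP_FMT, data, off)
        recs.append({"type": f[0], "pid": f[1], "ts": f[9],
                     "line": f[2].rstrip(b"\0").decode(errors="replace"),
                     "user": f[4].rstrip(b"\0").decode(errors="replace"),
                     "host": f[5].rstrip(b"\0").decode(errors="replace"),
                     "zeroed": data[off:off + UTMP_SIZE] == bytes(UTMP_SIZE)})
    return recs

def find_tampering(recs):
    """Return (index, reason) pairs for records that look edited or wiped."""
    findings, last_ts = [], 0
    for i, r in enumerate(recs):
        if r["zeroed"]:  # an entry overwritten with NULs rather than removed
            findings.append((i, "zeroed record (overwritten entry)"))
            continue
        if r["ts"] < last_ts:  # wtmp is append-only, so time should not go back
            findings.append((i, "timestamp earlier than previous record"))
        last_ts = max(last_ts, r["ts"])
    return findings

# Constructed sample: a boot, two logins and a logout, plus a copy in which the
# root login record (index 2) has been overwritten with zeros.
T0 = 1_700_000_000
CLEAN = b"".join([
    pack_record(BOOT_TIME, 0, "~", "reboot", "", T0),
    pack_record(USER_PROCESS, 1234, "pts/0", "alice", "10.0.0.5", T0 + 60),
    pack_record(USER_PROCESS, 1300, "pts/1", "root", "203.0.113.9", T0 + 120),
    pack_record(DEAD_PROCESS, 1300, "pts/1", "", "", T0 + 180),
])
TAMPERED = CLEAN[:2 * UTMP_SIZE] + bytes(UTMP_SIZE) + CLEAN[3 * UTMP_SIZE:]

if __name__ == "__main__":
    print(find_tampering(parse_wtmp(TAMPERED)))  # [(2, 'zeroed record (overwritten entry)')]
```

On a live host the same checks can be run over `/var/log/wtmp` read as bytes, ideally compared against a copy shipped off-box, since a cleaner with root can rewrite the local file consistently.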

Additionally, the toolkit contains a keep-alive mechanism that automatically restarts the primary malware process within 60 seconds if it is terminated by security software.


Exploitation of Historical Linux Kernel Vulnerabilities

SSHStalker stands out for integrating automation with a curated library of 16 known Linux kernel vulnerabilities. Some of the exploited flaws include:

These vulnerabilities, although considered obsolete in updated systems, remain exploitable in outdated or unmaintained environments.

Expanded Toolset and Infrastructure Recycling

Flare’s investigation into the actor’s staging infrastructure revealed a significant archive of open-source offensive tools and recycled malware samples. Among the components identified were:

  • Rootkits designed for stealth and persistence
  • Cryptocurrency mining tools
  • A Python script executing a binary called “website grabber” to extract exposed Amazon Web Services (AWS) credentials from vulnerable websites
  • EnergyMech, an IRC bot capable of providing remote command execution and centralized C2 control

Researchers believe the threat actor may have Romanian origins, citing Romanian-style nicknames, slang patterns, and naming conventions observed in IRC channels and configuration lists. Operational similarities also suggest overlaps with a known hacking collective referred to as Outlaw, also called Dota.

Operational Discipline Over Innovation

Security analysts emphasize that SSHStalker does not showcase advanced exploit development or zero-day research. Instead, it demonstrates strong operational maturity. The campaign relies heavily on C for low-level bot functionality, shell scripting for orchestration and persistence, and limited Python and Perl scripts for utility tasks within the attack chain.

The actor’s strength lies in automation, infrastructure reuse, and sustained persistence across heterogeneous Linux environments. By targeting long-tail legacy systems, SSHStalker illustrates how outdated infrastructure continues to pose significant cybersecurity risks.
